
The next big thing in cybercrime? Here are the FBI’s ones to watch…

If you’re a Federal Agent who happens to fight cybercrime, what sort of stuff lands on your desk? The latest Internet Crime Report paints a picture. And as well as featuring an annual summary of the activities of the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), it also includes a useful roundup of trends to watch.

Based on nearly 300,000 complaints filed in the previous calendar year, here are the FBI’s “Hot Topics”: three specific threat types that the Feds say we should be most worried about…

Business Email Compromise (BEC)

We’re not talking about email hacking just for the sake of it here (that’s classed as Email Account Compromise - and although it’s a necessary part of BEC, it’s not the whole story).

With BEC, we’re dealing with a very specific kind of threat: a sophisticated scam based around wire transfer payments. With a little digging (LinkedIn, website bios, that sort of thing), a criminal can quickly identify who’s likely to hold the purse strings within an organisation. The scam is carried out when a hacker compromises legitimate business email accounts through social engineering or hacking techniques to conduct unauthorized transfers of funds.

It’s a global problem. On this side of the Pond, we know it better as mandate fraud, and only this month City AM was reporting that fraudsters had used it to make off with £32 million in the previous year. The Met says that it’s now the third most popular way of scamming a business, behind fraudulent bank cards and employee theft.

So here’s a piece of research that shouldn’t come as any surprise: of all the people in your company most likely to be targeted in an email scam, your Chief Financial Officer comes top.

The moral? Regardless of what she tells you, your CFO hasn’t got “more important things to do” than turn up to your next cyber security scrumdown.

Ransomware

Never mind a year; a week is a long time in cyber security. Last year, IC3 apparently received 2,673 complaints linked to ransomware with losses of over $2.4 million.

Although it has long been on the radar of the cyber security community, it’s fair to say that as 2016 drew to a close, the issue of ransomware wasn’t yet mainstream headline news. The WannaCry attack in May - closely followed by Petya - changed all that.

WannaCry infected an estimated 300,000 endpoints, and such was the scale of the attack that it warranted a meeting of the UK government’s Cobra crisis committee.

Threat detection, strategic backup, proper patch management and adequate hygiene (not least, making sure your people know what and what not to click on): these are the areas all businesses should be focused on to reduce the threat.

Tech support fraud

IC3 received 10,850 complaints relating to this type of fraud, with losses exceeding $7.8 million. Again, it’s a highly targeted strategy, only this time it’s more likely to involve your IT team than your accounts staff.

The perpetrator makes contact with the business and offers what sounds like a fantastic tech support package. The victim bites - and is subsequently asked for remote access to a device. The request sounds reasonable (after all, this person is now the company’s remote ‘support guy’). Once in, there’s the potential to cause all manner of damage, from a quick “smash and grab” of customer account data through to the installation of spyware.

The fact that this has been flagged up by the FBI is a reminder of the importance of doing your homework. A swish website, a convincing salesman, a too-good-to-be-true deal: these should never be enough in themselves to cause you to enter into any kind of relationship with a third-party provider.

Attacks get personal

What do all three of the FBI’s “Hot Topics” have in common? For one, they each demand some action on the part of your people to become live. And especially when it comes to BEC and tech support fraud, these are honed, targeted and personal attacks. If you’re worth compromising, chances are that threat actors will be willing to do a little digging to get the attack right. So be ready for it.

About Nathan House

Nathan House (BSc, CISSP, CISM, CISA, CEH, ISO 27001 LA) is the founder and CEO of Station X. He has over 24 years’ experience in cyber security, where he has advised some of the largest companies in the world, assuring security on multi-million and multi-billion pound projects. More recently, he acted as the lead security consultant on a number of the UK’s mobile banking and payment solutions, helping to secure over £71Bn in transactions to date. These clients included COOP Banking Group, Smile.co.uk, Royal Bank of Scotland, Natwest, VISA and Yorkshire Bank. He is an expert in SCADA and ICS security, having consulted to companies such as BG Group, BP, ExxonMobil, Shell and GSK. Over the years he has spoken at a number of security conferences, developed free security tools, discovered serious security vulnerabilities in leading applications and is generally considered a thought leader in cyber security.